We often hear, while taking various Ethical Hacking Training courses, that it is extremely important to define a clear scope, rules of engagement, and pentesting contract prior to starting the engagement. How else would we get our Get Out of Jail Free card, right? Could someone possibly point me to some open resources or public documents one could use to form their own Pentesting Contract, Rules of Engagement, or anything else that an individual would need to get started officially with a potential client?

However, if you're serious, I'd recommend having legal counsel, who is familiar with this type of service, put something together for you. You should also get the proper insurance. Doing this wrong can ruin your career.

If anyone's interested, send me a PM, and I'll put you in touch with the guy I used. I think it was around $1000-1500 for the SoW template and contract. It's not cheap, but these are critical items to get right, and the cost of things going wrong will be substantially higher.

Although it's written from the perspective of a client engaging a tester, Penetration Testing: The Third Party Hacker may be helpful in covering the points a client may require. As already mentioned by ajohnson, it highlights the need for liability insurance, which I don't see mentioned too often in training.

Last edited by m0wgli on Wed Apr 03, 2013 4:25 pm, edited 1 time in total.

Check with an insurance person. As mentioned, you need liability and errors/omissions coverage. They're usually aware of "technology" packages. I'm sure price varies by location. Here it was about $1500/year I believe.

As for resources, I'm not really aware of any. I can't share company documents but I can try and answer any specific questions you might have (as can others here I'm sure).